Branch Office VPN Connectivity Wizard

Microsoft® Internet Security and Acceleration (ISA) Server 2006 is the security gateway that protects your mission-critical applications from Internet-based threats. Streamline your network with simplified administrator and user experiences through a unified firewall and virtual private network (VPN) architecture, which includes Web caching and bandwidth management, an optimized firewall filtering engine, and comprehensive access controls.

Branch office support is a fundamental feature of ISA Server 2006 Enterprise Edition. Many businesses today have branch offices, and connect these branches to the main office over the Internet using a site-to-site VPN connection. Companies are changing from leased lines to standard Internet connections, because of the higher costs of leased lines. ISA Server 2006 protects the main office and the branch offices from Internet-based threats.

The following features of ISA Server 2006 Enterprise Edition enhance branch office Internet deployments:

  • Branch Office VPN Connectivity Wizard. This wizard simplifies and automates the deployment of the branch office ISA Server computer. It helps you to configure a VPN connection, connect to a Configuration Storage server, and join a domain if required. The wizard reduces the amount of time required to deploy branch office scenarios. The Branch Office VPN Connectivity Wizard performs the following steps:
    • Configures and establishes a site-to-site VPN between the branch and main offices. (Main office configuration has to be done before running the Branch Office VPN Connectivity Wizard.)
    • Enables you to join the domain. (Restart required.)
    • Joins ISA Server 2006 enterprise and array.
  • Create Answer File Wizard. This wizard helps you create an answer file that will be used when running the ISA Server Branch Office VPN Connectivity Wizard at the branch office.
  • The Create Site-to-Site Connection Wizard has been enhanced, eliminating the need to create an access rule and a networking rule after running this wizard.
  • Communication between an array member and the Configuration Storage server has been enhanced when communicating over a slow link.
  • Microsoft update caching. The Microsoft update caching feature efficiently caches updates, reducing the impact of deploying software updates in branch offices.
  • HTTP compression. With Hypertext Transfer Protocol (HTTP) compression configured, ISA Server can compress content to preserve limited bandwidth, and accelerate the Web browsing experience in the branch office by compressing content at the branch office before sending over the wide area network (WAN) or VPN.
  • Traffic prioritization. Packets can be differentiated to prioritize critical business applications, so they are preferentially allocated the bandwidth needed to connect between the branch and the main office.

This document focuses on how to connect your branch office and main office using a site-to-site VPN connection using the Branch Office VPN Connectivity Wizard.

Contents

About This Document

Branch Office Scenarios

Background Information

Walk-Throughs

Installation and Configuration of ISA Server 2006 at the Miami Office

Appendix A Create Answer File for Branch Office VPN Connectivity Wizard

Appendix B Published Configuration Storage Server

Appendix C Change Preshared Keys or Certificates

Appendix D Troubleshooting

About This Document

This guide includes instructions to configure a branch office deployment using the Branch Office VPN Connectivity Wizard on the branch office ISA Server computer.

In this document, the following scenarios are discussed:

  • Configuring the VPN branch office using Layer Two Tunneling Protocol (L2TP) over Internet Protocol security (IPsec), using the Branch Office VPN Connectivity Wizard.
  • Configuring the VPN branch office using IPsec tunneling mode, using the Branch Office VPN Connectivity Wizard.

Before performing the procedures in this document, you should be familiar with the following concepts:

  • Installing ISA Server 2006
  • Installing ISA Server Configuration Storage server
  • Creating arrays
  • Installing ISA Server services
  • Installing both ISA Server services and Configuration Storage server
  • Configuring site-to-site VPN connections in ISA Server 2006

For more information about installing ISA Server 2006, see the Quick Start Guide on the product CD.

For more information about configuring site-to-site VPN connections, see "Site-to-Site VPN in ISA Server Enterprise Edition" at the Microsoft TechNet Web Site.

Branch Office Scenarios

The scenarios in which a branch office connects to the main office are categorized by the type of connection between the main office and the branch office, and by the domain or workgroup membership of the branch office ISA Server computer. That membership determines whether the ISA Server computer belongs to the main office domain or to a domain that has a trust relationship with the main office, or instead to a workgroup or to a domain that has no trust relationship with the main office. The following table summarizes the possible scenarios.

Connection type             | Branch office ISA Server computer membership
Leased line                 | Workgroup
Leased line                 | Domain or trusted domains
Internet (site-to-site VPN) | Workgroup
Internet (site-to-site VPN) | Domain or trusted domains

Background Information

In this example, Contoso, Ltd is experiencing tremendous growth and has decided to expand its offices worldwide. The Contoso main office is located in Miami, and the company has decided to open two branch offices, one in London and the second in Sydney. Contoso will deploy ISA Server 2006 Enterprise Edition at the main office and at the two branch offices, and connect each branch office to the main office over the Internet through a site-to-site VPN connection. The deployment of ISA Server 2006 Enterprise Edition will provide Contoso with central management and reporting for all of its ISA Server computers.

Network

The following section describes the Contoso network layout. Each office is assigned a network, making sure there is no overlapping of network ranges.

The following table lists the network address ranges for each office.

Office        | Network name  | Network range             | Network address
Miami         | MIA_Net       | 10.0.0.1–10.0.0.254       | 10.0.0 /24
London        | LON_Net       | 10.1.0.1–10.1.0.254       | 10.1.0 /24
Sydney        | SYD_Net       | 10.2.0.1–10.2.0.254       | 10.2.0 /24
Test Internet | Test_Internet | 172.16.0.1–172.16.255.255 |

Computers and IP Addresses

The following section describes the computers, their functions, and the IP address assignment for each computer.

The following table provides information regarding the computers used in this guide.

Computer name | Operating system | Additional software | Office | Comments
miadc01 | Microsoft Windows Server® 2003 with Service Pack 1 (SP1) | Domain controller, Domain Name System (DNS), Internet Information Services (IIS), certification authority (CA) | Miami | Domain controller and internal CA. Domain name: corp.contoso.com
miacss01 | Windows Server 2003 SP1 | ISA Server 2006 Enterprise Edition | Miami | Configuration Storage server
miaisa01 | Windows Server 2003 SP1 | ISA Server 2006 Enterprise Edition | Miami | ISA Server array member located in the main office
lonisa01 | Windows Server 2003 SP1 | ISA Server 2006 Enterprise Edition | London | ISA Server array member located in LON_Net
client01 | Windows® XP Professional with Service Pack 2 (SP2) | Microsoft Office Word 2003, Office Excel® 2003, and Office Outlook® 2003 | London | Client located in LON_Net to test that the VPN is functioning properly
sydisa01 | Windows Server 2003 SP1 | ISA Server 2006 Enterprise Edition | Sydney | ISA Server array member located in SYD_Net
client02 | Windows XP Professional with SP2 | Word 2003, Excel 2003, and Outlook 2003 | Sydney | Client located in SYD_Net to test that the VPN is functioning properly
router01 | Windows Server 2003 SP1 | None | Test Internet | Simulated Internet routing

The following table provides information regarding the IP address assignments for each computer used in this guide.

Computer name | Internal IP address | Internal subnet mask | External IP address | External subnet mask | DNS      | Default gateway
miadc01       | 10.0.0.2            | 255.255.255.0        | None                | None                 | 10.0.0.2 | 10.0.0.254
miacss01      | 10.0.0.102          | 255.255.255.0        | None                | None                 | 10.0.0.2 | 10.0.0.254
miaisa01      | 10.0.0.254          | 255.255.255.0        | 172.16.0.2          | 255.255.255.0        | 10.0.0.2 | 172.16.0.1
lonisa01      | 10.1.0.254          | 255.255.255.0        | 172.16.1.2          | 255.255.255.0        | 10.0.0.2 | 172.16.1.1
client01      | 10.1.0.101          | 255.255.255.0        | None                | None                 | 10.0.0.2 | 10.1.0.254
sydisa01      | 10.2.0.254          | 255.255.255.0        | 172.16.2.2          | 255.255.255.0        | 10.0.0.2 | 172.16.2.1
client02      | 10.2.0.101          | 255.255.255.0        | None                | None                 | 10.0.0.2 | 10.2.0.254

Router01 is simulating the Internet and has three network adapters defined with the following addresses. Router01 is also providing routing services between each of the three networks.

Network adapter | IP address | Subnet mask
MIA             | 172.16.0.1 | 255.255.255.0
LON             | 172.16.1.1 | 255.255.255.0
SYD             | 172.16.2.1 | 255.255.255.0

The following figure illustrates the configuration used in this guide.


Name Resolution

The branch office array members need to be able to resolve names on the Internal network at the main office. One way to accomplish this is to have the branch office array members point to a DNS server located in the main office network. A second way is to add entries to the Hosts file. The Hosts file approach is harder to maintain, because whenever a server's address changes you must update the Hosts file on every array member.

In this scenario, the array members are pointing to 10.0.0.2 as their DNS server. If you are not able to connect to the Configuration Storage server or the domain, confirm that name resolution is configured as required in your scenario.

Walk-Throughs

The goal of the walk-throughs is to properly configure the following scenarios:

  • Branch office connected over an L2TP site-to-site VPN connection, where ISA Server 2006 will join the corp.contoso.com domain.
  • Branch office connected over an Internet Protocol security (IPsec) tunnel mode site-to-site VPN connection, where ISA Server 2006 will remain in a workgroup.

This section is divided into the following three sections:

  • Installation and Configuration of ISA Server 2006 at the Miami Office
  • Configuration and Deployment of L2TP Site-to-Site Connection Between the Miami and London Offices
  • Configuration and Deployment of IPsec Tunnel Mode Site-to-Site Connection Between the Miami and Sydney Offices

Installation and Configuration of ISA Server 2006 at the Miami Office

Perform the following procedures at the main office:

  • Install the Configuration Storage Server and Create an Array for Each Office
  • Add the Configuration Storage Server to the Enterprise Remote Management Computers Computer Set for Each Array
  • Install Main Office Array Member

Install the Configuration Storage Server and Create an Array for Each Office

Because the Sydney office will not be joining the corp.contoso.com domain, you need an exported server certificate available during the installation of the Configuration Storage server. Make sure the FQDN used in the certificate matches the full computer name of the Configuration Storage server.

To install the ISA Server 2006 Configuration Storage server, perform the following task on the miacss01 computer.

To install the Configuration Storage server and create an array for each office

  1. Install Windows Server 2003 with SP1.

  2. Run Windows Update to make sure you have all of the latest security updates installed.

  3. Run ISA Server 2006 Setup. Follow these steps:

    1. Insert the ISA Server 2006 Enterprise Edition CD into the CD drive, or run ISAAutorun.exe from the shared network drive.
    2. Follow the instructions in the ISA Server 2006 Quick Start Guide to install the Configuration Storage server. Because the Sydney ISA Server computer will not be joining the domain, during the installation, on the Enterprise Deployment Environment page, choose to use certificate authentication, and provide the location of the exported server certificate.
  4. After Setup has completed, create an array for the main office and one for each branch in the scenario. For more information, see the ISA Server 2006 Quick Start Guide. Use the following information for the array names:

    • MIA
    • LON
    • SYD

    Note

    You can create the array from the branch office while running the Branch Office VPN Connectivity Wizard. However, over a slow link, it will take a long time to create the array. We recommend that before performing this procedure, you create the array from the ISA Server Management snap-in running on the Configuration Storage server.

  5. Click the Apply button in the details pane to save the changes and update the configuration.

Add the Configuration Storage Server to the Enterprise Remote Management Computers Computer Set for Each Array

To enable monitoring of the array members from the Configuration Storage server, you need to add the Configuration Storage server to the Enterprise Remote Management Computers computer set. The Enterprise Remote Management Computers computer set is a predefined computer set that by default is included in the Remote Management system policy for each array. When modifying the Enterprise Remote Management Computers computer set, you need to modify one computer set as opposed to modifying the Remote Management Computers computer set for each array. If you create the array during the installation of ISA Server services, the Configuration Storage server is automatically added to the Remote Management Computers computer set.

To modify the Enterprise Remote Management Computers computer set, perform the following procedure on the miacss01 computer.

To modify the Enterprise Remote Management Computers computer set

  1. On the Configuration Storage server, open ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, and then expand Enterprise.

  2. Select Enterprise Policies.

  3. In the task pane, on the Toolbox tab, click Network Objects.

  4. Expand Computer Sets, select Enterprise Remote Management Computers, and click Edit.

  5. Click Add, and select Computer.

  6. In the Name field, type a name for the computer, enter the IP address of the Configuration Storage server, 10.0.0.102, in the Computer IP Address field, and then click OK.

  7. Click OK to close the properties of the Enterprise Remote Management Computers computer set.

  8. In the Firewall Policy details pane, click Apply to apply the changes.

Install Main Office Array Member

To install ISA Server 2006 services, perform the following procedure on the miaisa01 computer.

To install the main office array member

  1. Install Windows Server 2003 with SP1 joining the corp.contoso.com domain.

  2. Run Windows Update to make sure you have all of the latest security updates installed.

  3. Run ISA Server 2006 Setup. Insert the ISA Server 2006 Enterprise Edition CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  4. Follow the instructions in the ISA Server 2006 Quick Start Guide located on the product CD, to install the array member.

    Important

    Define the Internal network using the address range options. Use the range of 10.0.0.1 to 10.0.0.254.

Configuration and Deployment of L2TP Site-to-Site Connection Between the Miami and London Offices

In this scenario, Contoso has decided to connect the London office using an L2TP over IPsec VPN connection, with IPsec authentication using a certificate. The ISA Server computer will join the domain in the Miami office.

In this section, you will do the following:

  1. Create a Site-to-Site VPN Connection Between Miami and London Networks
  2. Create an answer file for remote VPN site (optional). For more information about creating an answer file, see Appendix A Create Answer File for Branch Office VPN Connectivity Wizard.
  3. Install ISA Server 2006 Enterprise Edition
  4. Run the Branch Office VPN Connectivity Wizard
  5. Create an Access Rule for the LON Array
  6. Test the Site-to-Site VPN Connection

Create a Site-to-Site VPN Connection Between Miami and London Networks

In this section, you will run the Create Site-to-Site Connection Wizard. The Create Site-to-Site Connection Wizard does the following:

  • Creates the network for the London branch office and configures a site-to-site VPN connection between the main office and London network using L2TP over IPsec mode.
  • Creates a network route relationship between the main office network and London office network.
  • Creates an access rule for traffic to and from the main office and the London office.

The user shown in the following table needs to be created and given dial-in permissions. User accounts are required for L2TP site-to-site VPN connections.

User name | Password | Location
LON_Net   | Passw0rd | corp.contoso.com domain

Gather the following information before running the Create VPN Site-to-Site Connection Wizard.

  • Network name for remote network.
    • Options: None
    • Value: LON_Net
  • VPN protocol.
    • Options: L2TP over IPsec; IPsec tunnel mode; Point-to-Point Tunneling Protocol (PPTP)
    • Value: L2TP over IPsec
  • IP address assignment. How IP addresses are assigned to incoming VPN connections.
    Note: The range assigned cannot overlap with any other network that is defined. If the default gateway of the computers in the Miami network is not the ISA Server computer, you need to ensure that the static address range is routed to the ISA Server computer.
    • Options: Static address pool; Dynamic Host Configuration Protocol (DHCP). Note: DHCP is not supported on multiple-server arrays.
    • Value: Static Pool. Range: 11.0.0.1–11.0.0.254
  • Remote site VPN server. This is the external IP address of the remote office ISA Server computer.
    • Options: None
    • Value: 172.16.1.1
  • L2TP over IPsec authentication. How each server will authenticate the other. In this scenario, the authentication is done using certificates.
    Important: For security reasons, we recommend the use of a dedicated private CA for certificates that will be used for IPsec authentication.
    • Options: Certificate authentication; Preshared key authentication
    • Value: Certificate. Note: Confirm that you have a valid server certificate installed in the local computer certificate store of the array member.
  • Remote network address range.
    • Options: Add Range; Add Network
    • Value: 10.1.0.1–10.1.0.254

To create a site-to-site VPN network for the London office, perform the following procedure on the miacss01 computer.

To create a site-to-site VPN network for the London office

  1. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand MIA, and then click Virtual Private Networks (VPN).

  2. In the details pane, select the Remote Sites tab.

  3. On the Tasks tab, click Create VPN Site-to-Site Connection. Use the wizard to create the network as outlined in the following table.

  • Welcome. Site-to-site network name: Type LON_Net.
    Note: The network name must match a user account that the ISA Server array member can authenticate to. This user account will be used by the remote ISA Server array member when initiating a VPN connection to the main office.
  • VPN Protocol. Select the VPN protocol used to protect traffic between sites. Select Layer Two Tunneling Protocol (L2TP) over IPsec.
  • Local Network VPN Settings. Specify how IP addresses are assigned to incoming VPN connections. Select Static address pool, and click Add.
  • Server IP Address Range.
    • Select the server: Select miaisa01.
    • Start address: Type 11.0.0.1.
    • End address: Type 11.0.0.254.
  • Connection Owner. Select connection owner: Select miaisa01.
  • Remote Site Gateway. Select the remote site VPN server. Enter the external IP address or fully qualified domain name (FQDN) of the remote ISA Server computer. Type 172.16.1.2.
  • Remote Authentication. If you want the main office to initiate the VPN connection to the branch office (for example, to allow the Configuration Storage server to monitor the remote array member), specify the following information. The remote ISA Server 2006 computer must be able to validate this user account.
    • Select Allow the local site to initiate connections to the remote site, using this user account.
    • User name: Type MIA_Net.
    • Domain: Type lonisa01.
    • Password: Type Passw0rd.
    • Confirm password: Type Passw0rd.
  • L2TP/IPsec Authentication. Specify the IPsec authentication method. Select Certificate authentication (recommended).
    Note: A server certificate should be installed in the local computer certificate store.
  • Network Addresses. Specify the network address for the remote network. Click Add Range.
  • IP Address Range Properties.
    • Start address: Type 10.1.0.0.
    • End address: Type 10.1.0.254.
  • Remote NLB. If Network Load Balancing (NLB) is enabled on the remote site, specify the dedicated IP addresses of the remote site gateway. Clear the The remote site is enabled for Network Load Balancing check box.
  • Site-to-Site Network Rule. Specify if you want to create a network rule for this network now, or if you will create one later. Select Create a network rule specifying a route relationship. If you need to add additional networks to the rule, click Add to select the additional networks.
  • Site-to-Site Network Access Rule. Specify if you want to create an access rule for the remote network, or if you will create one later. Select Create an allow access rule. For Apply the rule to these protocols, select All outbound traffic.
  • Completing the New VPN Site-to-Site Network Wizard. Review the settings. Click Back to change any settings. Click Finish to complete the wizard.
  • Remaining VPN Site-to-Site Tasks. Review additional required tasks. Click OK.

Note

If you selected I'll create a network rule later or I'll create an access rule later, you need to manually add the correct network and access rules. For more information, see the product Help.

Install ISA Server 2006 Enterprise Edition

In this section, you will install both ISA Server services and the Configuration Storage server on the branch office ISA Server computer. To run the Branch Office VPN Connectivity Wizard, both ISA Server services and the Configuration Storage server must be installed. After successfully running the Branch Office VPN Connectivity Wizard, the Configuration Storage server is automatically removed.

Perform the following procedure on the lonisa01 computer.

To install ISA Server 2006 Enterprise Edition

  1. Install Windows Server 2003 with SP1.

  2. Run Windows Update to make sure you have all of the latest security updates installed.

  3. Run ISA Server 2006 Setup. Follow these steps:

    1. Insert the ISA Server 2006 Enterprise Edition CD into the CD drive, or run ISAAutorun.exe from the shared network drive.
    2. Follow the instructions in the ISA Server 2006 Quick Start Guide to install the Configuration Storage server. During the installation, on the Setup Scenarios page, choose Install both ISA Server services and Configuration Storage server.
    3. On the Enterprise Installations Options page, select Create a new ISA Server enterprise.
    4. After the installation is complete, on the Installation Wizard Completed page, do not select Invoke ISA Server Management when the wizard closes. Click Finish.

Run the Branch Office VPN Connectivity Wizard

The Branch Office VPN Connectivity Wizard enables you to connect your branch office ISA Server computer to the main office and join the ISA Server enterprise through a site-to-site VPN connection.

The Branch Office VPN Connectivity Wizard will perform the following procedures:

  • Configure and establish a site-to-site VPN connection with the main office.
  • Create the necessary user account for L2TP VPN connections.
  • Create a network route rule with the main office network.
  • Join the domain or remain in a workgroup environment.
  • Join the ISA Server 2006 enterprise located in the main office.
  • Join an array.
  • After successfully joining the ISA Server 2006 enterprise, uninstall the Configuration Storage server component from the server.

Before you run the Branch Office VPN Connectivity Wizard, do the following:

  • Do not clear the Client for Microsoft Networks check box in the properties of the external network adapter, or you will not be able to join the domain.
  • Install a computer certificate from the same private certification authority that issued the certificate for miaisa01, into the local computer certificate store on the lonisa01 computer. In this scenario, the issuing CA is miadc01.
  • The branch office array member needs to have 10.0.0.2 configured as the DNS server, or name resolution might not work properly. The array members in the branch offices will need to resolve the following to successfully complete the wizard:
    • Domain name to join the corp.contoso.com domain
    • Configuration Storage server to join the enterprise

Gather the following information before running the Branch Office VPN Connectivity Wizard.

  • Network name for remote network.
    • Options: None
    • Value: MIA_Net
  • VPN protocol.
    • Options: L2TP over IPsec; IPsec tunnel mode; Point-to-Point Tunneling Protocol
    • Value: L2TP over IPsec
  • IP address assignment. How IP addresses are assigned to incoming VPN connections.
    Note: The range assigned cannot overlap with any other network that is defined. If the default gateway of the computers in the Miami network is not the ISA Server computer, you need to ensure that the static address range is routed to the ISA Server computer.
    • Options: Static address pool; Dynamic Host Configuration Protocol (DHCP). Note: DHCP is not supported on multiple-server arrays.
    • Value: Static Pool. Range: 11.1.0.1–11.1.0.254
  • Remote site VPN server. This is the external IP address of the remote office ISA Server computer.
    • Options: None
    • Value: 172.16.0.1
  • L2TP over IPsec authentication. How each server will authenticate the other. In this scenario, the authentication is done using certificates.
    Important: For security reasons, we recommend the use of a dedicated private CA for certificates that will be used for IPsec authentication.
    • Options: Certificate authentication; Preshared key authentication
    • Value: Certificate. Note: Confirm that you have a valid server certificate installed in the local computer certificate store.
  • Remote network address range.
    • Options: Add Range; Add Network
    • Value: 10.0.0.1–10.0.0.254

To run the Branch Office VPN Connectivity Wizard, perform the following procedure on the lonisa01 computer.

To run the Branch Office VPN Connectivity Wizard for the London branch office

  1. Click Start, and then click Run. In the Run dialog box, type cmd, and then click OK.

  2. At the command prompt, browse to the ISA Server 2006 installation folder. For example, type cd "c:\Program Files\Microsoft ISA Server" if you installed ISA Server to drive C using the default location.

  3. To run the Branch Office VPN Connectivity Wizard, at the command prompt, type AppCfgWzd.exe.

  4. Use the wizard to connect the branch office to the main office as outlined in the following table.

  • Welcome. Click Next.
  • Configuration Setting Source. Specify if you will enter the configuration information manually or if configuration information will be set automatically by an answer file. For more information about creating an answer file, see Appendix A Create Answer File for Branch Office VPN Connectivity Wizard. Select Manually.
  • Connection Type. Select the protocol used for the VPN connection. This must match what you configured at the main office. Select Layer Two Tunneling Protocol (L2TP) over IPsec.
  • Array Server Deployment. Specify if this is the first server deployed in the array, or if a server is already deployed in the array. Select This is the first server deployed in the array.
  • Local Site-to-Site Authentication. Specify the following:
    • Network name: Type MIA_Net.
    • Password: Type Passw0rd.
    • Confirm password: Type Passw0rd.
  • Remote Site VPN IP Addresses.
    • Address ranges of remote VPN network: Click Add Range.
    • Start address: Type 10.0.0.1.
    • End address: Type 10.0.0.254.
    • Remote VPN server (IP address or name): Type 172.16.0.2.
  • Local Network VPN Settings. Specify how IP addresses are assigned to incoming VPN client connections. Select Static Pool, and click Add Range.
  • IP Address Range Properties.
    • Start address: Type 11.1.0.1.
    • End address: Type 11.1.0.254.
  • Remote Authentication. Specify the credentials used by the local site to connect to the remote site.
    Note: The user name must match the name of the network created at the main office for this branch office.
    • User Name: Type LON_Net.
    • Domain: Type corp.contoso.com.
    • Password: Type Passw0rd.
    • Confirm password: Type Passw0rd.
  • IPsec Authentication. Specify which authentication method to use. Select Use server certificate.
  • IPsec Certificate. Select Use existing certificate.
  • Ready to Configure the VPN Connection. Review your VPN settings. Click Next to create the VPN connection.
    Note: The creation and configuration of the VPN tunnel can take between 10 and 20 minutes depending on your link speed and latency.
  • Join Remote Domain. Specify if you want to remain in a workgroup or join the main office domain. Select Join a Domain and type corp.contoso.com in the Domain name (FQDN) field.
    Note: If you select to join a domain, your computer will automatically restart after successfully joining the domain. You must log on with the same user account after the computer restarts. After you log on, the Branch Office VPN Connectivity Wizard will automatically restart and continue where you left off.
  • Branch Office VPN Connectivity Wizard dialog box. Click OK in the dialog box that explains that the computer will be restarted after joining the domain.
  • Join Domain. Enter the user name and password of an account with permissions to join the domain.
    • User name: Type corp\administrator.
    • Password: Type Passw0rd.
  • Locate Configuration Storage Server.
    • Configuration Storage server (type the FQDN): Type miacss01.corp.contoso.com.
    • Connection Credentials: Select Connect using this account. Type corp\administrator as the user name and Passw0rd as the password.
  • Securely Published Configuration Storage Server. Specify the published Configuration Storage server. For more information on publishing your Configuration Storage server, see Appendix B Published Configuration Storage Server. Click Next.
  • Array Membership. Select Join an existing array.
  • Join Existing Array. Array name: Type LON.
  • Configuration Storage Server Authentication Options. Select how this computer will authenticate to the Configuration Storage server. Select Windows Authentication.
  • Ready to Configure ISA Server. Review your settings. Click Next.
  • Completing the ISA Server Branch Office VPN Connectivity Wizard. Click Finish.

Note the following:

  • This wizard can take approximately 30 minutes to complete all the required tasks depending on link speed and latency.
  • The IP address used by the array member to join the domain is an address from the static address pool. This address is used by the domain controller to create the DNS entry for this server. This address cannot be used by the computers in the main office, for example the Configuration Storage server, to communicate with the array computer in the branch office. You need to change the DNS entry to reflect the actual internal IP address or modify the properties of the server, for monitoring to work. For more information about how to change the Remote Communication server property, see the product Help.
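The values entered on the two sides of the tunnel have to agree with each other and with the address plan: the static pool must not overlap any defined network, the remote VPN server must be the peer ISA Server's external address, and for L2TP the site-to-site network name on one side is the user name the other side dials in with. The following Python check is added here as an illustration and is not part of the guide or of ISA Server; it cross-checks the Miami and London values from the tables above, and the dictionary keys, the check_site_to_site function and the deliberately broken inputs in the comments are ours.

```python
from ipaddress import IPv4Address

# Address plan constructed from the guide's network table.
NETWORKS = {
    "MIA_Net": ("10.0.0.1", "10.0.0.254"),
    "LON_Net": ("10.1.0.1", "10.1.0.254"),
    "SYD_Net": ("10.2.0.1", "10.2.0.254"),
    "Test_Internet": ("172.16.0.1", "172.16.255.255"),
}

# One dict per end of the Miami-London tunnel, holding the values the two
# wizards ask for (taken from the guide's tables; the key names are ours).
MIA = {
    "name": "miaisa01",
    "external_ip": "172.16.0.2",
    "local_range": NETWORKS["MIA_Net"],
    "remote_network_name": "LON_Net",   # site-to-site network created here for the peer
    "remote_gateway": "172.16.1.2",     # remote site VPN server (peer's external address)
    "remote_range": ("10.1.0.1", "10.1.0.254"),
    "static_pool": ("11.0.0.1", "11.0.0.254"),
    "outbound_user": "MIA_Net",         # account this side dials in with
}
LON = {
    "name": "lonisa01",
    "external_ip": "172.16.1.2",
    "local_range": NETWORKS["LON_Net"],
    "remote_network_name": "MIA_Net",
    "remote_gateway": "172.16.0.2",
    "remote_range": ("10.0.0.1", "10.0.0.254"),
    "static_pool": ("11.1.0.1", "11.1.0.254"),
    "outbound_user": "LON_Net",
}


def ranges_overlap(r1, r2):
    """True when two inclusive start-end address ranges share any address."""
    s1, e1 = map(IPv4Address, r1)
    s2, e2 = map(IPv4Address, r2)
    return max(s1, s2) <= min(e1, e2)


def check_site_to_site(a, b, networks=NETWORKS):
    """Cross-check both ends of an L2TP site-to-site connection.

    Returns a list of problem descriptions; an empty list means the two
    sides agree with each other and with the address plan.
    """
    problems = []
    # The two static pools must not collide with each other either.
    if ranges_overlap(a["static_pool"], b["static_pool"]):
        problems.append(f"{a['name']} and {b['name']}: static pools overlap")
    for side, peer in ((a, b), (b, a)):
        me = side["name"]
        # 1. The static pool must not overlap any network already defined.
        for net_name, rng in networks.items():
            if ranges_overlap(side["static_pool"], rng):
                problems.append(f"{me}: static pool overlaps {net_name}")
        # 2. The remote VPN server must be the peer ISA Server's external
        #    address, not the address of a router in between (e.g. router01).
        if side["remote_gateway"] != peer["external_ip"]:
            problems.append(
                f"{me}: remote gateway {side['remote_gateway']} is not "
                f"{peer['name']}'s external address {peer['external_ip']}")
        # 3. The remote address range must be the peer's Internal network.
        if side["remote_range"] != peer["local_range"]:
            problems.append(
                f"{me}: remote range does not match {peer['name']}'s Internal network")
        # 4. For L2TP, the site-to-site network name on this side is the user
        #    name the peer presents when it initiates the connection.
        if side["remote_network_name"] != peer["outbound_user"]:
            problems.append(
                f"{me}: network name {side['remote_network_name']} does not match "
                f"the account {peer['outbound_user']} used by {peer['name']}")
    return problems


if __name__ == "__main__":
    # Constructed mistake: pointing Miami at router01's LON address instead
    # of lonisa01's external address is reported as a gateway mismatch.
    for problem in check_site_to_site(MIA, LON) or ["configuration is consistent"]:
        print(problem)
    for problem in check_site_to_site(dict(MIA, remote_gateway="172.16.1.1"), LON):
        print(problem)
```

Run it once with the gathered values before starting the wizards; every finding it prints is something the Create VPN Site-to-Site Connection Wizard or the Branch Office VPN Connectivity Wizard will otherwise only reveal as a failed tunnel or a failed domain join.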

Create an Access Rule for the LON Array

An access rule allows or denies traffic based on protocol, source, destination, and user sets. This rule allows all protocols for traffic in both directions between the first branch office (London) and the main office. Perform the following procedure from the miacss01 computer.

To create an access rule

  1. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand LON, and then click Firewall Policy (LON).

  2. In the task pane, on the Tasks tab, click Create Access Rule. Create the rule as outlined in the following table.

Page Field or property Setting

Welcome

Access rule name

Type LON MIA Access.

Rule Action

Action to take when rule conditions are met

Select Allow.

Protocols

This rule applies to

From the drop-down list, select All outbound traffic.

Access Rule Sources

Select the networks that will be considered the source for the traffic.

Click Add, expand Networks, and select the following networks:

Internal and MIA_Net.

Access Rule Destinations

Select the networks that will be considered the destination for the traffic.

Click Add, expand Networks, and select the following networks:

Internal and MIA_Net.

User Sets

This rule applies to requests from the following user sets

Select All Users.

Completing the New Access Rule Wizard

Review settings.

Click Finish.

To make sure that the array member has been properly updated with the new policy, use the following procedure.

To monitor the array for policy update

  1. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand LON, and then click Monitoring.

  2. In the details pane, select the Configuration tab.

  3. When the new policy has been updated, you will see the following:

    • Status shows: Synced.
    • Description shows: Server configuration matches the Configuration Storage server configuration.

Test the Site-to-Site VPN Connection

Perform the following procedure from the client01 computer located in the London office.

To test the VPN connection

  • Open Microsoft Internet Explorer® and browse to the following URL: https://miadc01/certsrv. If the site-to-site connection is working, you see the Certificate Services page shown in the following figure.

    [Figure: the https://miadc01/certsrv page displayed in Internet Explorer]

Configuration and Deployment of IPsec Tunnel Mode Site-to-Site Connection Between the Miami and Sydney Offices

In this scenario, Contoso has decided to connect the Sydney office using an IPsec tunnel mode VPN connection, with IPsec authentication using a certificate. The ISA Server computer will not join the domain and will remain in a workgroup.

In this section, you will do the following:

  1. Create a Site-to-Site VPN Connection Between Miami and Sydney Networks
  2. Create an answer file for remote VPN site (optional). For more information about creating an answer file, see Appendix A Create Answer File for Branch Office VPN Connectivity Wizard.
  3. Install ISA Server 2006 Enterprise Edition
  4. Run the Branch Office VPN Connectivity Wizard
  5. Create an Access Rule for the SYD Array
  6. Test the Site-to-Site VPN Connection

Create a Site-to-Site VPN Connection Between Miami and Sydney Networks

In this section, you will run the Create Site-to-Site Connection Wizard. The Create Site-to-Site Connection Wizard will do the following:

  • Create the network for the Sydney branch office and configure a site-to-site VPN connection between the main office and the Sydney network using IPsec tunnel mode.
  • Create a network route rule between the main office network and the Sydney office network.
  • Create an access rule for traffic to and from the main office and the Sydney office.

Gather the following information before running the Create VPN Site-to-Site Connection Wizard.

Item: Network name for remote network.
Options: None
Value: SYD_Net

Item: VPN protocol.
Options: L2TP over IPsec; IPsec tunnel mode; Point-to-Point Tunneling Protocol (PPTP)
Value: IPsec tunnel mode

Item: Remote VPN gateway IP address.
Options: None
Value: 172.16.2.2

Item: Local VPN gateway IP address.
Options: None
Value: 172.16.0.2

Item: IPsec authentication. How the two gateways authenticate each other. In this scenario, authentication is done using certificates.
Options: Certificate authentication; Preshared key authentication
Value: Certificate

Important:
For security reasons, we recommend the use of a dedicated private CA for certificates that will be used for IPsec authentication.

Note:
Install an IPsec certificate on the miaisa01 computer from a private certification authority into the local computer certificate store. In this scenario, the issuing CA is miadc01.

Item: Remote network address range.
Options: Add Range; Add Network
Value: 10.2.0.1–10.2.0.254 (the Sydney internal network) and 172.16.2.2–172.16.2.2 (the external IP address of the Sydney ISA Server computer)

Note:
To enable the remote array member to communicate with the Configuration Storage server, the external IP address of the remote array server must be in the list of remote network addresses. The Create Site-to-Site Connection Wizard adds this address automatically; do not remove it.

To create a site-to-site VPN connection, perform the following procedure on the miacss01 computer.

To create a site-to-site VPN Network for Sydney network

  1. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand MIA, and then click Virtual Private Networks (VPN).

  2. In the details pane, select the Remote Sites tab.

  3. On the Tasks tab, click Create VPN Site-to-Site Connection. Use the wizard to create the network as outlined in the following table.

Page Field or property Setting

Welcome

Site-to-site network name

Type SYD_Net.

VPN Protocol

Select the VPN Protocol used to protect traffic sent between the sites

Select IP Security protocol (IPsec) tunnel mode.

Connection Owner

Select connection owner.

From the drop-down list, select miaisa01.

Connection Settings

Remote VPN gateway IP address: Type 172.16.2.2.

Local VPN gateway IP address: Type 172.16.0.2.

IPsec Authentication

Specify which IPsec authentication method to use.

Select Use a certificate from this certificate authority (CA), click Browse, and select miadc01.

Network Addresses

Specify the network address ranges for the remote network.

Note:
The external IP address of the remote ISA Server computer is automatically added to the network address range. This address is required to enable communication between the remote ISA Server computer and the Configuration Storage server located in the Miami network. If you remove this address range, you will not be able to communicate with the Configuration Storage server.

To add the internal network for SYD_Net, click Add Range.

IP Address Range Properties

Start address: Type 10.2.0.1.

End address: Type 10.2.0.254.

Site-to-Site Network Rule

Specify if you want to create a network rule for this network now, or if you will create one later

Select Create a network rule specifying a route relationship.

If you need to add additional networks to the rule, click Add to select the additional networks.

Note:
You can only specify a route network relationship in the wizard. To specify a network address translation (NAT) network relationship, select I'll create a network rule later.

Site-to-Site Network Access Rule

Specify if you want to create an access rule for the remote network, or if you will create one later.

Select Create an allow access rule.

For Apply the rule to these protocols, select:

  • All outbound traffic.

Completing the New VPN Site-to-Site Network Wizard

Review the settings.

Click Back to change any settings. Click Finish to complete the wizard.

Remaining VPN Site-to-Site Tasks

Review additional required tasks.

Click OK.

Modify array authentication properties for connection to Configuration Storage server

Because the array member for the Sydney branch office will remain in a workgroup configuration and will not be joining the domain, you must change the following array properties:

  • Change the authentication method used to connect to the Configuration Storage server.
  • Add the administrator account to Users (mirrored accounts) allowed to monitor this array.

Perform the following procedure on the miacss01 computer.

To change the authentication type used for connections between ISA Server and the Configuration Storage server

  1. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, and select SYD.

  2. In the task pane, on the Tasks tab, click Configure Array Properties.

  3. Select the Configuration Storage tab.

  4. Click Select for Select the authentication type used for connections between ISA Server and the Configuration Storage server.

  5. Select Authentication over SSL encrypted channel and click OK.

  6. Click OK to close the array properties window.

  7. Open the SYD array properties window again. See step 1 and step 2.

  8. Select the Assign Roles tab and click Add under Users (mirrored accounts) allowed to monitor this array.

  9. For Group or User, type administrator.

  10. For Role, select ISA Server Array Auditor from the drop-down list and click OK.

  11. Click OK to close the array properties window.

  12. Click Apply in the details pane to save and apply configuration changes.

Install ISA Server 2006 Enterprise Edition

In this section, you will install both ISA Server services and the Configuration Storage server on the branch office ISA Server computer. To run the Branch Office VPN Connectivity Wizard, both ISA Server services and the Configuration Storage server must be installed. After successfully running the Branch Office VPN Connectivity Wizard, the Configuration Storage server is removed.

Perform the following procedure on the sydisa01 computer.

To install ISA Server 2006 Enterprise Edition

  1. Install Windows Server 2003 with SP1.

  2. Run Windows Update to make sure you have all of the latest security updates installed.

  3. Run ISA Server 2006 Setup. Follow these steps:

    1. Insert the ISA Server 2006 Enterprise Edition CD into the CD drive, or run ISAAutorun.exe from the shared network drive.
    2. Follow the instructions in the ISA Server 2006 Quick Start Guide. During the installation, on the Setup Scenarios page, choose Install both ISA Server services and the Configuration Storage server.
    3. On the Enterprise Installations Options page, select Create a new ISA Server enterprise.
    4. After the installation is complete, on the Installation Wizard Completed page, do not select Invoke ISA Server Management when the wizard closes. Click Finish.

Run the Branch Office VPN Connectivity Wizard

The Branch Office VPN Connectivity Wizard will perform the following procedures:

  • Configure and establish a site-to-site VPN connection with the main office.
  • Create a network route rule between the Sydney and Miami networks.
  • Allow you to join the domain or remain in a workgroup environment.
  • Join the ISA Server 2006 enterprise located in the main office.
  • Join an array.
  • After successfully joining the ISA Server 2006 enterprise, uninstall the Configuration Storage server component from the server.

Before you run the Branch Office VPN Connectivity Wizard, do the following:

  • Install an IPsec certificate from the same private certification authority (CA) that issued the certificate for miaisa01, into the local computer certificate store on the sydisa01 computer. In this scenario, the issuing CA is miadc01.
  • The branch office array member must have 10.0.0.2 configured as its DNS server, or name resolution might not work properly. The array member in the branch office must be able to resolve the name miacss01.corp.contoso.com.
  • Because the Sydney ISA Server computer will not be joining the domain, sydisa01 will establish a Secure Sockets Layer (SSL) connection with the Configuration Storage server. Install the root CA certificate from the CA that issued the server certificate that is installed on the Configuration Storage server.

Gather the following information before running the Branch Office VPN Connectivity Wizard.

Item: Network name for remote network.
Options: None
Value: MIA_Net

Item: VPN protocol.
Options: L2TP over IPsec; IPsec tunnel mode; Point-to-Point Tunneling Protocol (PPTP)
Value: IPsec tunnel mode

Item: Remote VPN gateway IP address.
Options: None
Value: 172.16.0.2

Item: Local VPN gateway IP address.
Options: None
Value: 172.16.2.2

Item: IPsec authentication. How the two gateways authenticate each other. In this scenario, authentication is done using certificates.
Options: Certificate authentication; Preshared key authentication
Value: Certificate

Important:
For security reasons, we recommend the use of a dedicated private CA for certificates that will be used for IPsec authentication.

Note:
Install an IPsec certificate on the sydisa01 computer from a private certification authority into the local computer certificate store. In this scenario, the issuing CA is miadc01.

Item: Remote network address range.
Options: Add Range; Add Network
Value: Add Range: 10.0.0.1–10.0.0.254

To run the Branch Office VPN Connectivity Wizard, perform the following procedure on the sydisa01 computer.

To run the Branch Office VPN Connectivity Wizard for the Sydney branch office

  1. Click Start, and then click Run. In the Run dialog box, type cmd, and then click OK.

  2. At the command prompt, browse to the ISA Server 2006 installation folder. For example, type cd "c:\Program Files\Microsoft ISA Server" if you installed ISA Server to drive C using the default location.

  3. To run the Branch Office VPN Connectivity Wizard, at the command prompt, type AppCfgWzd.exe.

  4. Use the wizard to connect the branch office to the main office as outlined in the following table.

Page Field or property Value

Welcome

None

Click Next.

Configuration Setting Source

Specify if you will enter the configuration information manually or if configuration information will be set automatically by an answer file. For more information about creating an answer file, see Appendix A Create Answer File for Branch Office VPN Connectivity Wizard.

Select Manually.

Connection Type

Select the protocol used for the VPN connection. This must match what you configured at the main office.

Select IP Security protocol (IPsec) tunnel mode.

Array Server Deployment

Specify if this is the first server deployed in the array, or if a server is already deployed in the array.

Select This is the first server deployed in the array.

IPsec Connection Settings

Specify the following VPN remote site settings:

Name for the site-to-site network that will be created to represent the remote site on the array: Type MIA_Net.

Remote VPN gateway IP address: Type 172.16.0.2.

Local VPN gateway IP address: Type 172.16.2.2.

Remote Site VPN IP Addresses

Specify the IP address range of the remote network.

Click Add Range.

IP Address Range Properties

Start address: Type 10.0.0.1.

End address: Type 10.0.0.254.

IPsec Authentication

Specify which authentication method to use.

Select Use server certificate.

IPsec Certificate

Specify the server certificate that will be used for authentication.

Select Use existing certificate and click Browse to select the certification authority that issued the certificate.

Important:
You must select the same certification authority that you selected when you set up the site-to-site VPN connection from Miami to Sydney.

Ready to Configure the VPN Connection

Review your VPN settings.

Note:
The configuration and creation of the VPN tunnel can take between 5 and 10 minutes.

Click Next to create the VPN connection.

Join Remote Domain

Specify if you want to remain in a workgroup or join the main office domain.

Select Remain in a workgroup.

Locate Configuration Storage Server

Configuration Storage server (type the FQDN): Type miacss01.corp.contoso.com.

Connection Credentials: Select Connect using this account.

User name: Type corp\administrator.

Password: Type Passw0rd.

Securely Published Configuration Storage Server

Specify the published Configuration Storage server.

For more information on publishing your Configuration Storage server, see Appendix B Published Configuration Storage Server

Click Next.

Array Membership

None

Select Join an existing array.

Join Existing Array

Array name

Type SYD.

Configuration Storage Server Authentication Options

Select how this computer will authenticate to the Configuration Storage server.

Select Authenticate over SSL encrypted channel and select Use an existing trusted root CA certificate.

Ready to Configure ISA Server

Review your settings.

Click Next.

Completing the ISA Server Branch Office VPN Connectivity Wizard

None

Click Finish.

Create an Access Rule for the SYD Array

An access rule allows or denies traffic based on protocol, source, destination, and user sets. This rule allows all protocols for traffic in both directions between the second branch office (Sydney) and the main office. Perform the following procedure from the miacss01 computer.

To create an access rule

  1. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand SYD, and then click Firewall Policy (SYD).

  2. In the task pane, on the Tasks tab, click Create Access Rule. Create the rule with the same settings you used for the LON MIA Access rule in the London scenario, this time on the SYD array: a descriptive name (for example, SYD MIA Access), Action Allow, Protocols All outbound traffic, Sources and Destinations Internal and MIA_Net, and User Sets All Users.

Monitor Array for Policy Update

To make sure that the array member has been properly updated with the new policy, perform the following procedure.

To monitor the array for policy update

  1. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand SYD, and then click Monitoring.

  2. In the details pane, select the Configuration tab.

  3. When the new policy has been updated, you will see the following:

    • Status shows: Synced.
    • Description shows: Server configuration matches the Configuration Storage server configuration.

Test the Site-to-Site VPN Connection

Perform the following procedure from the client02 computer in the Sydney office.

To test the VPN connection

  • Open Internet Explorer and browse to the following URL: https://miadc01/certsrv. If the site-to-site connection is working, you see the Certificate Services page shown in the following figure.

    [Figure: the https://miadc01/certsrv page displayed in Internet Explorer]

Appendix A Create Answer File for Branch Office VPN Connectivity Wizard

There are two methods to create an answer file to use with the Branch Office VPN Connectivity Wizard:

  • Run the Create Answer File Wizard from within the ISA Server Management snap-in.
  • Run the Branch Office VPN Connectivity Wizard with the -create_answer_file switch.

Create an Answer File with the Create Answer File Wizard

In this section, you create an answer file that can be used when running the Branch Office VPN Connectivity Wizard at the corresponding branch office. The wizard takes as much information as possible from the selected VPN site-to-site network. This ensures that most of the information will match, and lowers the chance that the VPN connection will fail due to settings that are not compatible.

To create an answer file for a remote VPN site

  1. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Virtual Private Networks (VPN).

  2. In the details pane, select the Remote Sites tab.

  3. Select the remote site-to-site network.

  4. On the Tasks tab, click Create Answer File for Remote VPN Site. Use the wizard to create the answer file.

Important

When running this wizard, you need to think as if you are using the remote site ISA Server computer. In this section, when the Create Answer File Wizard refers to Remote, it is referring to the Miami office, and when the Create Answer File Wizard refers to Local, it is referring to the London or Sydney office. This answer file will be used in conjunction with the Branch Office VPN Connectivity Wizard at the branch office.

Page Field or property Setting

Welcome

None

Click Next.

Answer File Details

Type the full path to the answer file.

Type c:\London.inf.

Connection Type

Select the protocol used for the VPN connection.

This setting is already selected and you cannot change it.

Array Server Deployment

VPN connection is created for the first server deployed in the array. Subsequent servers must use this connection during the initial VPN configuration.

Select This is the first server deployed in the array.

Local Site-to-Site Authentication

Network name: Type MIA_Net.

Password: Type Passw0rd.

Confirm Password: Type Passw0rd.

Remote Site VPN IP Addresses

Specify the IP address ranges for the remote site VPN network.

Address ranges of remote VPN network: Confirm that the address range is 10.0.0.1–10.0.0.254.

Remote VPN server (IP address or name): Type 172.16.0.2.

Local Network VPN Settings

Specify how IP addresses are assigned to incoming VPN client connections.

Select Static IP address pool.

Click Add Range.

IP Address Range Properties

Specify the range of IP addresses:

Start address: Type 11.1.0.1.

End address: Type 11.1.0.254.

Remote Authentication

User name: Type LON_Net.

Domain: Type corp.contoso.com.

Password: Type Passw0rd.

Confirm Password: Type Passw0rd.

IPsec Authentication

Specify the authentication method that will be used to establish the site-to-site VPN connection.

Select Use server certificate.

IPsec Certificate

Specify the server certificate that will be used for authentication.

Select Use existing certificate.

Note:
You will need to make sure that the appropriate certificate is installed on the London ISA Server computer.

Join Remote Domain

After the site-to-site VPN connection is successfully established, you can have the ISA Server computer join the domain.

Select Join a domain.

Domain name (FQDN): Type corp.contoso.com.

Join Domain

Enter the user name and password of an account with rights to join the domain.

User name: Type corp\administrator.

Password: Type Passw0rd.

Locate Configuration Storage Server

Configuration Storage server (type the FQDN): Confirm miacss01.corp.contoso.com.

Connection Credentials: Select Connect using this account.

User name: Type corp\administrator.

Password: Type Passw0rd.

Securely Published Configuration Storage Server

If you have published a Configuration Storage server securely, you can enter its FQDN here.

Leave blank.

Array Membership

None

Select Join an existing array.

Join Existing Array

Array name

Type LON.

Configuration Storage Server Authentication Options

Select how this computer will authenticate to the Configuration Storage server.

Select Windows Authentication.

Completing the Create Answer File Wizard

Review the settings.

Click Back to change any settings. Click Finish to complete the wizard.

  5. Copy the file to one of the following locations on the branch office ISA Server 2006 computer, renaming the file IsaUsrConfig.inf. When AppCfgWzd.exe is run, the wizard automatically searches the following locations, in this order, for IsaUsrConfig.inf:
    1. Root of any removable drive.
    2. Directory named IsaAnswerFiles on the system partition, for example c:\IsaAnswerFiles.
    3. Root directory of the system partition, for example C:\.

If it finds the file, the wizard selects From a File on the Configuration Settings Source page of the wizard.

Important

When you run the Create Answer File Wizard on an IPsec tunnel mode network, you need to remove the IP address of the main office ISA Server computer from the list of IP address ranges on the Remote Site VPN IP Addresses page, or the connection to the published Configuration Storage server will fail.

Important

The answer file contains confidential information and should be treated accordingly. Transfer the answer file to the branch office ISA Server computer only in a secure fashion.

Create the Answer File with the Branch Office VPN Connectivity Wizard

To create the IsaUsrConfig.inf answer file, run AppCfgWzd.exe with the -create_answer_file switch. The wizard then walks you through its pages and writes the values you enter to the answer file. Because you must supply every value by hand, rather than having them taken from an existing site-to-site network, this method is more error-prone than the Create Answer File Wizard.

Because no configuration changes occur when you run the wizard with the -create_answer_file switch, you can create an answer file from any ISA Server 2006 array member.

To create and use an answer file for Branch Office VPN Connectivity Wizard

  1. Run the Branch Office VPN Connectivity Wizard with the -create_answer_file switch:

    1. Click Start, and then click Run. In the Run dialog box, type cmd, and then click OK.
    2. At the command prompt, browse to the ISA Server 2006 installation folder. For example, type cd "c:\program files\Microsoft ISA Server" if you installed ISA Server to drive C using the default location.
    3. To run the Branch Office VPN Connectivity Wizard, at the command prompt, type AppCfgWzd.exe -create_answer_file.
  2. Enter the information as requested by the wizard.

  3. When the wizard completes, the output is saved to <root drive>:\Windows\temp directory with the name isaconfig_*.inf, where * is a random number, for example IsaConfig_705.inf.

  4. Copy the isaconfig_*.inf file to one of the following locations on the branch office ISA Server 2006 computer, renaming the file IsaUsrConfig.inf. When the AppCfgWzd.exe is run, the wizard automatically searches the following locations in the following order for IsaUsrConfig.inf:

    1. Root of any removable drive.
    2. Directory named IsaAnswerFiles on the system partition, for example c:\IsaAnswerFiles.
    3. Root directory of the system partition, for example C:\.
      If it finds the file, the wizard selects From a File on the Configuration Settings Source page of the wizard.

Important

The answer file contains confidential information and should be treated accordingly. Transfer the answer file to the branch office ISA Server computer only in a secure fashion.

Parameter Listing for Answer File

The following table lists the parameters of the IsaUsrConfig.inf file with the associated page in the wizard.

Wizard page Description Parameters and values

(Not tied to a wizard page)

Specifies the mode in which the wizard will run.

BasicUI   In this mode, you will see the progress of the wizard and cannot change any of the values that have been provided in the answer file. The wizard will run automatically after being started, without any user intervention.

FullUI   In this mode, the information will be completed automatically. However, you can change any of the information if required.

If this parameter is not specified in the .inf file, it will default to FullUI.

UnattendedMode={FullUI | BasicUI}

Connection Type

None

ConnectionType={VPN}

VpnProtocol={L2TP|IPSEC}

Array Server Deployment

Choose if this is the first server deployed in the array, or if a server is already deployed.

JoiningEmptyArray={1 | 0}

Local Site-to-Site Authentication

(L2TP setting)

Specifies the name of the site-to-site network that will be created on this appliance to represent the remote VPN site. A user account of the same name will be created on this appliance. This user account is used by the remote site to access the local VPN site. Specify a password for the account.

RemoteSiteNetworkName=SiteToSiteNetworkName

VpnLocalUserPassword=Password

Remote Site VPN IP Addresses (L2TP setting)

Specifies the IP address of the remote gateway, and the IP address range of the remote network.

RemoteSiteIpOrName=IP_Address

S2SNetIpRanges=StartIPAddress1-EndIPAddress1,StartIPAddress2-EndIPAddress2 …

Local Network VPN Settings (L2TP setting)

Specifies whether IP addresses are allocated to VPN client connections from a static pool, or by DHCP.

AddressAssignmentType={StaticPool|DHCP}

StaticAddressPool=StartIPAddress1-EndIPAddress1,StartIPAddress2-EndIPAddress2 …

Remote Authentication (L2TP setting)

Specifies what credentials the local site should use to authenticate to the remote site. This must be an account recognized by the remote site.

S2SUserName=Account_Name

S2SDomain=Account_Domain

S2SUserPassword=Account_Password

IPsec Authentication

(L2TP setting)

Selects whether to authenticate using a server certificate or a preshared key.

VPNAuthenticationType={Certificate|PresharedKey}

PresharedKey=Preshared_Key

VpnClientCertificate_UserPath=Certificate_Folder

IPsec Certificate (L2TP setting)

Specifies whether a new certificate should be installed from a .pfx file, or whether an existing certificate in the personal certificates store should be used.

VPNCertificate_InstallMode={InstallNew|UseExisting}

SERVER_CERTIFICATE_FULLPATH=PathtoPfxFile

VPNCertificate_Password=Passwordforpfxfile

VPNCertificate_CAName=ExistingCertificateName

IPsec Connection Settings (IPsec Tunnel Mode setting)

Specifies the name of the site-to-site network that will be created on this appliance to represent the remote VPN site. Specifies the IP address of the remote VPN gateway, and the IP address of the local VPN gateway.

RemoteSiteNetworkName=SiteToSiteNetworkName

RemoteSiteIPOrName=RemoteGatewayIPAddress

LocalGatewayIp=LocalGatewayIPAddress

Remote Site VPN IP Addresses (IPsec Tunnel Mode setting)

Specifies the IP address ranges for the remote site VPN network.

S2SNetIpRanges= StartIPAddress1-EndIPAddress1,StartIPAddress2-EndIPAddress2 …

IPsec Authentication

(IPsec Tunnel Mode setting)

Selects whether to authenticate using a server certificate or a preshared key.

VPNAuthenticationType={Certificate|PresharedKey}

PresharedKey=Preshared_Key

IPsec Certificate (IPsec Tunnel Mode setting)

Specifies whether a new certificate should be installed from a .pfx file, or whether an existing certificate in the personal certificates store should be used.

VPNCertificate_InstallMode={InstallNew|UseExisting}

SERVER_CERTIFICATE_FULLPATH=PathtoPfxFile

VPNCertificate_Password=Passwordforpfxfile

VPNCertificate_CAName=ExistingCertificateName

Join Remote Domain

Specifies whether to join a domain or remain in workgroup mode.

JoinDomainAction={JoinDomain|RemainInWG}

JoinDomainName=Domain_Name

JoinDomain_UserAccount=Account_Name

JoinDomain_Password=Account_Password

Locate Configuration Storage Server

Specifies the Configuration Storage server and the credentials to be used for the connection.

STORAGESERVER_COMPUTERNAME=ConfigurationStorageServer_Name

STORAGESERVER_CONNECT_ACCOUNT=Account_Name. A domain account should be in the format domainname\username

STORAGESERVER_CONNECT_PWD=Account_Password

Securely Published Configuration Storage Server

Specifies the published Configuration Storage server settings.

The CLIENT_CERTIFICATE_PATH_PROP parameter is used only when the PublishedCssRootCACertPath parameter is used.

VpnBackupCssName=PublishedConfigurationStorageServerName

PublishedCssRootCACertPath=PathToTrustedRootCert

CLIENT_CERTIFICATE_PATH_PROP=PublishedCssRootCACertPath

Array Membership

Adds this appliance to an existing array, or creates a new array and adds the appliance to it.

ARRAY_MODE={Join|New}

Create new array

Specifies a name for the new array, and its DNS name. Optionally, adds a description.

ARRAY_NAME=Array_Name

ARRAY_DESCR=Array_Description

ARRAY_DNS_NAME=DNS_Name

Join Existing Array

Specifies an array that this appliance should join.

ARRAY_NAME=Array_Name

Configuration Storage Server Authentication Options

Selects how this appliance authenticates to the Configuration Storage server. If the appliance resides in the same domain as the Configuration Storage server (or in a trusted domain), use Windows authentication. Otherwise, use a server certificate over an SSL-encrypted channel.

ARRAY_AUTHENTICATIONMETHOD={Windows|Certificate}

CLIENT_CERTIFICATE_FULL_PATH=TrustedRootCert_Location

Sample Answer File for L2TP Connection

The following is a sample answer file for an L2TP connection.

[Appliance_Parameters]
;
; Connection Type L2TP
;
ConnectionType=VPN
VpnProtocol=L2TP
JoiningEmptyArray=1
RemoteSiteNetworkName=MIA_Net
VpnLocalUserPassword=1
RemoteSiteIpOrName=172.16.0.2
S2SNetIpRanges=10.0.0.1-10.0.0.254
AddressAssignmentType=StaticPool
StaticAddressPool=11.1.0.1-11.1.0.254
S2SUserName=LON_Net
S2SUserDomain=corp
S2SUserPassword=Passw0rd
;
; Authentication is with pre-shared key
;
VPNAuthenticationType=PresharedKey
PresharedKey=123456
;
; Joining a Domain
;
JoinDomainAction=JoinDomain
JoinDomainName=corp.contoso.com
JoinDomain_UserAccount=corp\administrator
JoinDomain_Password=Passw0rd
;
; Connect to Configuration Storage server and join an existing array
;
STORAGESERVER_COMPUTERNAME=miacss01.corp.contoso.com
STORAGESERVER_CONNECT_ACCOUNT=corp\administrator
STORAGESERVER_CONNECT_PWD=Passw0rd
PublishedCssRootCACertPath=
VpnBackupCssName=
ARRAY_MODE=Join
ARRAY_NAME=LON
ARRAY_AUTHENTICATIONMETHOD=Windows
CLIENT_CERTIFICATE_FULLPATH=

Sample Answer File for IPsec Tunnel Mode Connection

The following is a sample answer file for an IPsec tunnel mode connection.

[Appliance_Parameters]
;
; Connection type IPsec Tunnel Mode
;
ConnectionType=VPN
JoiningEmptyArray=1
VpnProtocol=IPsec
RemoteSiteNetworkName=MIA_Net
RemoteSiteIpOrName=172.16.0.2
LocalGatewayIp=172.16.2.2
S2SNetIpRanges=10.0.0.1-10.0.0.254
;
; Authentication is with pre-shared key
;
VPNAuthenticationType=PresharedKey
PresharedKey=123456
;
; Remain in a workgroup configuration
;
JoinDomainAction=RemainInWG
JoinDomainName=
;
; Connect to Configuration Storage server and join an existing array
;
STORAGESERVER_COMPUTERNAME=storage01.corp.contoso.com
STORAGESERVER_CONNECT_ACCOUNT=corp\administrator
STORAGESERVER_CONNECT_PWD=Passw0rd
PublishedCssRootCACertPath=
VpnBackupCssName=
ARRAY_MODE=Join
ARRAY_NAME=SYD
ARRAY_AUTHENTICATIONMETHOD=Certificate
CLIENT_CERTIFICATE_FULLPATH=
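
The answer file is read as plain name=value pairs under [Appliance_Parameters], so a selection such as VPNAuthenticationType=PresharedKey with an empty PresharedKey is only discovered when the wizard fails at the branch office. The following parser and consistency check is an added example, not Microsoft code or part of the wizard; it assumes only the key dependencies stated in the parameter reference above, and its input is a constructed, trimmed copy of the L2TP sample.

```python
# Constructed input: the page's L2TP sample, trimmed to the keys checked here.
SAMPLE_L2TP = """[Appliance_Parameters]
; Connection Type L2TP
VPNAuthenticationType=PresharedKey
PresharedKey=123456
JoinDomainAction=JoinDomain
JoinDomainName=corp.contoso.com
JoinDomain_UserAccount=corp\\administrator
JoinDomain_Password=Passw0rd
ARRAY_MODE=Join
ARRAY_NAME=LON
CLIENT_CERTIFICATE_FULLPATH=
"""
# Keys the format stores as clear-text secrets; protect the file accordingly.
SECRET_KEYS = ("PresharedKey", "S2SUserPassword", "JoinDomain_Password",
               "STORAGESERVER_CONNECT_PWD", "VPNCertificate_Password")
# (selector key, selected value, keys that selection needs), per the reference.
REQUIRED = [
    ("VPNAuthenticationType", "PresharedKey", ("PresharedKey",)),
    ("VPNAuthenticationType", "Certificate", ("VPNCertificate_InstallMode",)),
    ("JoinDomainAction", "JoinDomain", ("JoinDomainName", "JoinDomain_UserAccount", "JoinDomain_Password")),
    ("ARRAY_MODE", "Join", ("ARRAY_NAME",)),
]

def parse_answer_file(text):
    """{key: value} from [Appliance_Parameters]; ';' lines are comments, key case kept, '' kept."""
    params, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):  # tolerate a stray ';' after the section header
            in_section = line.rstrip(";").lower() == "[appliance_parameters]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def validate(params):
    """Selections whose dependent keys are missing or empty, plus the CLIENT_CERTIFICATE_PATH_PROP rule."""
    problems = [f"{k}={v} requires a value for {n}"
                for k, v, needed in REQUIRED if params.get(k) == v
                for n in needed if not params.get(n)]
    if params.get("CLIENT_CERTIFICATE_PATH_PROP") and not params.get("PublishedCssRootCACertPath"):
        problems.append("CLIENT_CERTIFICATE_PATH_PROP is used only with PublishedCssRootCACertPath")
    return problems

def secrets_present(params):
    return sorted(k for k in SECRET_KEYS if params.get(k))
```

Run validate on a file before it leaves the main office; secrets_present lists which clear-text credentials it carries, which decides how the file must be transported and deleted afterwards.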

Appendix B Published Configuration Storage Server

ISA Server 2006 supports connecting to an alternate securely published Configuration Storage server in the event that the VPN tunnel normally used to connect to the Configuration Storage server is unavailable due to configuration errors. This needs to be configured and tested before any configuration issues arise.

If the connection between the ISA Server array member and the Configuration Storage server is through a site-to-site VPN connection, you can define another method to connect to the Configuration Storage server in the event that the VPN connection becomes unavailable. The array member will then connect to a securely published Configuration Storage server over the Internet. This enables the array member to continue to get configuration updates from the Configuration Storage server. When the site-to-site VPN connection is restored, the array member switches back and connects to the primary Configuration Storage server through the site-to-site VPN connection.

The array member will only use the securely published Configuration Storage server when all of the following conditions are met:

  • The primary Configuration Storage server or alternate Configuration Storage server (if the array member is already connected to the alternate Configuration Storage server) is unavailable for 30 minutes.
  • The alternate Configuration Storage server is unavailable. (This occurs only if the alternate Configuration Storage server has been configured on the Configuration Storage page.)
  • Over a VPN site-to-site connection is selected on the Published Configuration Storage page of the array properties.
  • The FQDN of the securely published Configuration Storage server is entered in the Alternate securely published Configuration Storage server field.

Important

These configuration settings must be completed before the VPN connection is broken to take advantage of the alternate securely published Configuration Storage server.

For more information about how to securely publish a Configuration Storage server, see "Securely Publish ISA Server Configuration Storage Server" at the Microsoft TechNet Web site.

For more information about how to change the amount of time before an array member will switch between the primary Configuration Storage server and the alternate Configuration Storage server, see "Setting Configuration Storage Server Delay Times" at the Microsoft TechNet Web site.

Appendix C Change Preshared Keys or Certificates

In this section, the following is discussed:

  • Change the Preshared Key for L2TP and IPsec Tunnel Mode
  • Change IPsec Authentication from Preshared Key to Certificate

Important

If these changes are not done in the proper order, the VPN site-to-site connection might be broken and your branch office array member will lose its connection to the Configuration Storage server in the main office. For this reason, we recommend that you publish your Configuration Storage server before making any changes to your VPN site-to-site connection properties. For more information, see Appendix B Published Configuration Storage Server.

Important

We recommend exporting your configuration before making configuration changes. For more information about how to export your configuration, see the product Help.

Change the Preshared Key for L2TP and IPsec Tunnel Mode

If your preshared key has been compromised, or you would like to change the preshared key, use the following procedure.

L2TP site-to-site incoming connections use the same preshared key. In a scenario of one main office and five branch offices, all of the branch offices use the same preshared key to initiate the site-to-site connection to the main office. VPN access clients configured to use L2TP also use the same preshared key. When the main office initiates a connection to the branch office, the main office must use the preshared key that is configured on the branch office array.

In IPsec tunnel mode, each site-to-site connection has its own unique preshared key, which is used regardless of which side initiates the connection.

To change a preshared key

  1. Export the enterprise configuration.

  2. Change the preshared key on all of the site-to-site connections in all of the affected branch offices.

  3. For L2TP, follow these steps:

    a. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name of the branch office array, and then click Virtual Private Networks (VPN).

    b. In the details pane, select the Remote Sites tab.

    c. Select the remote site-to-site network that connects to the main office.

    d. On the Tasks tab, select Edit Selected Network.

    e. Select the Protocol tab.

    f. Change the value in the Use pre-shared key IPsec authentication instead of certificate authentication field and click OK.

    g. Perform steps a through d for each branch office.

    h. Click Apply in the details pane to save and apply configuration changes.

      Note

      At this point, you might experience a temporary site-to-site VPN connection outage.

    i. Confirm that the changes have propagated to each array member before continuing. For more information, see Monitor Array for Policy Update.

    j. Expand the main office array.

    k. In the details pane, select the Remote Sites tab.

    l. On the Tasks tab, select Select Authentication Methods.

    m. Change the value of the Pre-shared key, and click OK.

    n. Click Apply in the details pane to save and apply the configuration changes.

  4. For IPsec tunnel mode, follow these steps:

    a. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name of the branch office array, and then click Virtual Private Networks (VPN).

    b. In the details pane, select the Remote Sites tab.

    c. Select the remote site-to-site network that connects to the main office.

    d. On the Tasks tab, select Edit Selected Network.

    e. Select the Authentication tab.

    f. Change the value in the Use pre-shared key for authentication field and click OK.

    g. Click Apply in the details pane to save and apply configuration changes.

      Note

      At this point, you might experience a temporary site-to-site VPN connection outage.

    h. Confirm that the changes have propagated to each array member before continuing. For more information, see Monitor Array for Policy Update.

    i. Expand the main office array.

    j. In the details pane, select the Remote Sites tab.

    k. Select the remote site-to-site network that connects to the branch office.

    l. On the Tasks tab, select Edit Selected Network.

    m. Select the Authentication tab.

    n. Change the value in the Use pre-shared key for authentication field and click OK.

    o. Click Apply in the details pane to save and apply configuration changes.

Change IPsec Authentication from Preshared Key to Certificate

If you deployed your site-to-site VPN connection using a preshared key and would like to change it now to use certificate-based authentication, use the following procedure.

For IPsec tunnel mode site-to-site VPN connections, you do not have to change all of your connections to certificates at the same time. You can do one branch office at a time. When you have finished, you can remove the preshared key setting.

To change IPsec authentication from preshared key to certificate

  1. On the branch office array member, install the appropriate certificate.

  2. On the main office array member, install the appropriate certificate.

    Important

    Certificates must be from the same CA. We recommend using a dedicated private CA for IPsec authentication certificates.

  3. For L2TP, follow these steps:

    a. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name of the branch office array, and then click Virtual Private Networks (VPN).

    b. In the details pane, select the Remote Sites tab.

    c. Select the remote site-to-site network that connects to the main office.

    d. On the Tasks tab, select Edit Selected Network.

    e. Select the Protocol tab.

    f. Clear the Use pre-shared key IPsec authentication instead of certificate authentication check box and click OK.

    g. Click Apply in the details pane to save and apply configuration changes.

      Note

      At this point, you might experience a temporary site-to-site VPN connection outage.

    h. Confirm that the changes have propagated to each array member before continuing. For more information, see Monitor Array for Policy Update.

    i. Confirm that the site-to-site network is working properly.

  4. For IPsec tunnel mode, follow these steps:

    a. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name of the branch office array, and then click Virtual Private Networks (VPN).

    b. In the details pane, select the Remote Sites tab.

    c. Select the remote site-to-site network that connects to the main office.

    d. On the Tasks tab, select Edit Selected Network.

    e. Select the Authentication tab.

    f. Select Use a certificate from this certificate authority (CA) and click Browse to select the appropriate CA.

    g. Click Apply in the details pane to save and apply configuration changes.

      Note

      At this point, you might experience a temporary site-to-site VPN connection outage.

    h. Confirm that the changes have propagated to each array member before continuing. For more information, see Monitor Array for Policy Update.

    i. Expand the main office array.

    j. In the details pane, select the Remote Sites tab.

    k. Select the remote site-to-site network that connects to the branch office.

    l. On the Tasks tab, select Edit Selected Network.

    m. Select the Authentication tab.

    n. Select Use a certificate from this certificate authority (CA) and click Browse to select the appropriate CA.

    o. Click Apply in the details pane to save and apply configuration changes.

Appendix D Troubleshooting

This section includes information about log files and an error message.

Log Files

When running the Branch Office VPN Connectivity Wizard, the Setup program automatically generates an additional log file. This log file is in addition to the regular log files that are generated by the Setup program. Windows Installer logs errors that occur when the ISA Server 2006 Setup program runs. Windows Installer also logs other information. You can view log files in Notepad. The information that the installer writes to the log files can help you troubleshoot a failed installation.

The Branch Office VPN Connectivity Wizard log file is created in the %windir%\temp folder and is named ISAACW_nnn.log, where nnn is the unique three-digit setup ID.

Error Message

If you receive the following error message, confirm that the protocols in the following table are allowed from the branch office array member to the Configuration Storage server.

Error message: A connection to the specified Configuration Storage server could not be established. This may be because the local computer needs to be added to the Managed ISA Server Computers computer set.

Protocol                            Authentication type used for connections between ISA Server and Configuration Storage server

MS Firewall Storage Server          Windows authentication

MS Firewall Secure Storage Server   Authentication over SSL encrypted channel